Financial institution Flagstar subjected to a $3.5M fine for allegedly misleading conduct following a 2021 cyber assault.

Bank's Inaccurate and Misleading Statements Followed an Insecure Data Breach That Led to Unauthorized Access to and Exposure of 1.5 Million Customers' Personal Details.

Cyberattack in 2021 leads to Flagstar incurring a penalty of $3.5 million for deceiving consumers
Flagstar Bank Faces Regulatory Scrutiny and $3.5 Million Fine for Cybersecurity Lapses

Flagstar Bank, a major US financial institution, has been hit by a series of cyberattacks since 2021, with the latest incident exposing the personal data of over 800,000 customers. The bank's cybersecurity practices have come under scrutiny, and it has recently agreed to pay a $3.5 million fine to settle charges with the Securities and Exchange Commission (SEC).

The most recent cyberattack, which occurred in 2021, reached Flagstar's systems through a flaw in Accellion's File Transfer Appliance software. Nevertheless, the bank did not disclose the details of this attack in its 2021 Form 10-K, filed on March 1, 2022. The SEC found that Flagstar made materially misleading statements on its website and in its financial filings about the cyberattack and its impact.

The SEC's allegations against Flagstar were not limited to the 2021 incident. The commission also accused the bank of making misleading statements regarding the scope of the Citrix breach in a notice to customers and a securities filing in June and August 2022, respectively. Flagstar neither admitted nor denied the commission's allegations, but it consented to the $3.5 million penalty and a cease-and-desist order barring it from making misleading statements in the future.

Flagstar also failed to disclose the details of the MOVEit breach in any of its statements or filings. The bank was a victim of the 2023 breach of the MOVEit file transfer system, but it did not disclose this incident either.

The bank's cybersecurity posture, especially its transparency and disclosure practices, has been criticized. The SEC's order responds to Flagstar's failure to maintain disclosure controls and procedures that would have ensured the bank had all relevant information at hand to make the required disclosures.

The impact on customer data was significant, with millions of customers' personal information exposed, increasing risks of identity theft and financial fraud. The breaches largely stemmed from vulnerabilities in Flagstar's third-party service providers, which cybercriminals exploited.

Despite the fines and regulatory scrutiny, Flagstar Bank has not publicly disclosed any measures taken to prevent similar cyberattacks in the future, specifically in relation to Accellion's File Transfer Appliance software and MOVEIt. The bank has not admitted to any wrongdoing regarding the management of sensitive information in the second cyberattack.

The cyberattacks on Flagstar Bank, including the incidents involving Accellion's File Transfer Appliance software and MOVEit, exposed the personal data of over 800,000 customers and highlighted the bank's weak cybersecurity measures and technology management. Despite the fines and regulatory scrutiny, Flagstar Bank has not publicly disclosed any measures taken to prevent similar cyberattacks in the future.